To install and run a service DLL compiled with MinGW on Kali, I execute following commands from a BAT file with an elevated command prompt:

copy SvcHostDemo.dll %SystemRoot%\System32\SvcHostDemo.dll sc create SvcHostDemo binPath= ^%%SystemRoot^%%"\system32\svchost.exe -k mygroup" type= share start= demand reg add HKLM\SYSTEM\CurrentControlSet\services\SvcHostDemo\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%%SystemRoot^%%\System32\SvcHostDemo.dll /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v mygroup /t REG_MULTI_SZ /d SvcHostDemo /f

Line 1 copies the DLL to system32.

Line 2 creates a service with name SvcHostDemo, that will start svchost.exe with service host group “mygroup”. The service can run in a shared svchost process, and it needs to be started manually.

Line 3 creates the registry entry ServiceDll referring to SvcHostDemo.dll.

Line 4 creates the service host group “mygroup” under the key for svchost. This service host group contains the service SvcHostDemo.

These commands create the following registry entries:

On a 64-bit Windows system, system32\svchost.exe is a 64-bit application and thus the service DLL needs to be a 64-bit DLL.

On a 32-bit Windows system, system32\svchost.exe is a 32-bit application and thus the service DLL needs to be a 32-bit DLL.

 

To start the service from the command line, the following command can be issued from an elevated command prompt: sc start SvcHostDemo.

Since service SvcHostDemo is the only service of service host group mygroup, starting the service causes a svchost.exe process to be created and the DLL is loaded inside this new process.

To pause the service: sc pause SvcHostDemo.

To resume the service: sc continue SvcHostDemo.

To stop the service: sc stop SvcHostDemo.

And since service SvcHostDemo is the only service of service host group mygroup, stopping the service causes the svchost.exe process to be terminated.

 

The many debug messages generated by this demo service can be viewed with DebugView. Run dbgview.exe elevated and enable “Capture Global Win32”, otherwise debug messages from a service (running under the local system account) will no be captured and displayed.

This service can also run inside an existing service host group, like netsvcs. To achieve this, line 2 of the commands above needs to use service host group netsvcs in stead of mygroup. And line 4 is not needed, but the existing multistring netsvcs under key Svchost needs to be updated to include SvcHostDemo. This change requires a reboot of the Windows machine to become effective.

With these changes, starting the service results in loading of the DLL in the existing svchost.exe process for the netsvcs service host group.

Stopping the service does not result in termination of the svchost.exe process, as it is hosting many other Microsoft Windows services.

To unload the DLL from the svchost.exe process when the service is stopped, set registry value ServiceDllUnloadOnStop under Parameters to 1.

reg add HKLM\SYSTEM\CurrentControlSet\services\SvcHostDemo\Parameters /v ServiceDllUnloadOnStop /t REG_DWORD /d 1 /f

 

If the name of the service function is not ServiceMain, but another name like RunThisService for example, then registry value ServiceMain under Parameters can be set to RunThisService.

reg add HKLM\SYSTEM\CurrentControlSet\services\SvcHostDemo\Parameters /v ServiceMain /t REG_SZ /d RunThisService /f

 

I used Windows 7 to demo this, as shared services on Windows 10 behave differently. Starting with Windows 10 version 1703, a service host refactoring took place and on machines with more than 3.5 GB of RAM each service DLL has its own svchost process, regardless of service host groups. This resulted in a change in the ImagePath registry entries. On Windows 10 machines version 1703 and later, almost all ImagePath entries for “svchost.exe -k servicegroup” have an extra option “-p”, like this: “svchost.exe -k servicegroup -p”. One of the very few svchost services not having this -p option, is the BTAGService service.

I still need to figure out what this option -p means exactly.

Quickpost info

Compiling a service DLL (a Windows DLL implementing a service to be executed inside a shared svchost.exe process) with MinGW on Kali, is almost the same as compiling a DLL.

A service DLL implements a service and must export a ServiceMain function. To prevent name mangling of the exported function, the ServiceMain definition needs to be ‘extern “C”‘:

extern “C” VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR* lpszArgv)

And we need a DEF file:

LIBRARY SvcHostDemo EXPORTS ServiceMain

This DEF file can be passed as argument to the MinGW compiler.

To create a 32-bit DLL:

i686-w64-mingw32-gcc -shared -municode -o SvcHostDemo.dll SvcHostDemo.def SvcHostDemo.cpp

To create a 64-bit DLL:

x86_64-w64-mingw32-gcc -shared -municode -o SvcHostDemo.dll SvcHostDemo.def SvcHostDemo.cpp

Option -municode is needed because I use TCHARs and want to compile a UNICODE executable.

Here is the code of my service template:

#define _UNICODE #include #include #include #include SERVICE_STATUS_HANDLE g_serviceStatusHandle = nullptr; HANDLE g_hSvcStopEvent = NULL; SERVICE_STATUS g_serviceStatus = {SERVICE_WIN32_SHARE_PROCESS, SERVICE_START_PENDING, SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE}; BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) { OutputDebugString(L"DllMain"); switch (dwReason) { case DLL_PROCESS_ATTACH: OutputDebugString(L"DLL_PROCESS_ATTACH"); break; case DLL_THREAD_ATTACH: OutputDebugString(L"DLL_THREAD_ATTACH"); break; case DLL_THREAD_DETACH: OutputDebugString(L"DLL_THREAD_DETACH"); break; case DLL_PROCESS_DETACH: OutputDebugString(L"DLL_PROCESS_DETACH"); break; } return TRUE; } DWORD WINAPI HandlerEx(DWORD dwControl, DWORD dwEventType, LPVOID lpEventData, LPVOID lpContext) { switch (dwControl) { case SERVICE_CONTROL_STOP: OutputDebugString(L"HandlerEx SERVICE_CONTROL_STOP"); g_serviceStatus.dwCurrentState = SERVICE_STOPPED; SetEvent(g_hSvcStopEvent); break; case SERVICE_CONTROL_SHUTDOWN: OutputDebugString(L"HandlerEx SERVICE_CONTROL_SHUTDOWN"); g_serviceStatus.dwCurrentState = SERVICE_STOPPED; SetEvent(g_hSvcStopEvent); break; case SERVICE_CONTROL_PAUSE: OutputDebugString(L"HandlerEx SERVICE_CONTROL_PAUSE"); g_serviceStatus.dwCurrentState = SERVICE_PAUSED; break; case SERVICE_CONTROL_CONTINUE: OutputDebugString(L"HandlerEx SERVICE_CONTROL_CONTINUE"); g_serviceStatus.dwCurrentState = SERVICE_RUNNING; break; case SERVICE_CONTROL_INTERROGATE: OutputDebugString(L"HandlerEx SERVICE_CONTROL_INTERROGATE"); break; default: OutputDebugString(L"HandlerEx default"); break; } SetServiceStatus(g_serviceStatusHandle, &g_serviceStatus); return NO_ERROR; } DWORD WINAPI Worker(LPVOID lpParam) { while (TRUE) { if (g_serviceStatus.dwCurrentState == SERVICE_RUNNING) OutputDebugString(L"Working ..."); Sleep(1000); } } extern "C" VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR* lpszArgv) { TCHAR szOutput[256]; DWORD dwIter; OutputDebugString(L"Begin ServiceMain"); StringCchPrintf(szOutput, 256, L"dwArgc = %d", dwArgc); OutputDebugString(szOutput); for (dwIter=0; dwIter 0) g_serviceStatusHandle = RegisterServiceCtrlHandlerExW(lpszArgv[0], HandlerEx, nullptr); else g_serviceStatusHandle = RegisterServiceCtrlHandlerExW(L"SvcHostDemo", HandlerEx, nullptr); if (!g_serviceStatusHandle) { OutputDebugString(L"Error 1 ServiceMain"); return; } g_hSvcStopEvent = CreateEvent(NULL, TRUE, FALSE, NULL); if (g_hSvcStopEvent == NULL) { OutputDebugString(L"Error 2 ServiceMain"); return; } g_serviceStatus.dwCurrentState = SERVICE_RUNNING; SetServiceStatus(g_serviceStatusHandle, &g_serviceStatus); OutputDebugString(L"Starting Worker ServiceMain"); if (NULL == CreateThread(NULL, 0, Worker, NULL, 0, NULL)) { OutputDebugString(L"Error 3 ServiceMain"); return; } OutputDebugString(L"Waiting ServiceMain"); WaitForSingleObject(g_hSvcStopEvent, INFINITE); OutputDebugString(L"End ServiceMain"); }

Quickpost info